Add support for encrypting Horizon and Placement API

This patch introduces an optional backend encryption for Horizon and
Placement services. When used in conjunction with enabling TLS for
service API endpoints, network communcation will be encrypted end to
end, from client through HAProxy to the Horizon and Placement services.

Change-Id: I9cb274141c95aea20e733baa623da071b30acf2d
Partially-Implements: blueprint add-ssl-internal-network

ansible/roles/horizon/defaults/main.yml

@@ -47,6 +47,7 @@ horizon_services:
         listen_port: "{{ horizon_listen_port }}"
         backend_http_extra:
           - "balance source"
+        tls_backend: "{{ horizon_enable_tls_backend }}"
       horizon_redirect:
         enabled: "{{ enable_horizon|bool and kolla_enable_tls_internal|bool }}"
         mode: "redirect"
@@ -61,6 +62,7 @@ horizon_services:
         listen_port: "{{ horizon_listen_port }}"
         backend_http_extra:
           - "balance source"
+        tls_backend: "{{ horizon_enable_tls_backend }}"
       horizon_external_redirect:
         enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
         mode: "redirect"
@@ -124,3 +126,8 @@ horizon_dev_mode: "{{ kolla_dev_mode }}"
 horizon_murano_dev_mode: "{{ kolla_dev_mode }}"
 horizon_source_version: "{{ kolla_source_version }}"
 horizon_murano_source_version: "{{ kolla_source_version }}"
+
+####################
+# TLS
+####################
+horizon_enable_tls_backend: "{{ kolla_enable_tls_backend }}"

ansible/roles/horizon/tasks/config.yml

@@ -135,7 +135,7 @@
 
 - include_tasks: copy-certs.yml
   when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or horizon_enable_tls_backend | bool
 
 - include_tasks: check-containers.yml
   when: kolla_action != "config"

ansible/roles/horizon/templates/horizon.conf.j2

@@ -1,5 +1,12 @@
 {% set python_path = '/usr/share/openstack-dashboard' if horizon_install_type == 'binary' else '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
 
+{% if horizon_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos']  %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ horizon_listen_port }}
 
 ServerSignature Off
@@ -35,6 +42,12 @@ TraceEnable off
     <Location "/static">
         SetHandler None
     </Location>
+
+{% if horizon_enable_tls_backend | bool %}
+    SSLEngine On
+    SSLCertificateFile /etc/horizon/certs/horizon-cert.pem
+    SSLCertificateKeyFile /etc/horizon/certs/horizon-key.pem
+{% endif %}
 </VirtualHost>
 
 {# FIXME(yoctozepto): enabling of either tls will break the other if not enabled too #}

ansible/roles/horizon/templates/horizon.json.j2

@@ -29,6 +29,18 @@
             "dest": "/etc/openstack-dashboard/custom_local_settings",
             "owner": "horizon",
             "perm": "0600"
-        }
+        }{% if horizon_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/horizon-cert.pem",
+            "dest": "/etc/horizon/certs/horizon-cert.pem",
+            "owner": "horizon",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/horizon-key.pem",
+            "dest": "/etc/horizon/certs/horizon-key.pem",
+            "owner": "horizon",
+            "perm": "0600"
+        }{% endif %}
     ]
 }

ansible/roles/placement/defaults/main.yml

@@ -16,12 +16,14 @@ placement_services:
         external: false
         port: "{{ placement_api_port }}"
         listen_port: "{{ placement_api_listen_port }}"
+        tls_backend: "{{ placement_enable_tls_backend }}"
       placement_api_external:
         enabled: "{{ enable_placement }}"
         mode: "http"
         external: true
         port: "{{ placement_api_port }}"
         listen_port: "{{ placement_api_listen_port }}"
+        tls_backend: "{{ placement_enable_tls_backend }}"
 
 ####################
 # Database
@@ -108,3 +110,8 @@ placement_ks_users:
     user: "{{ placement_keystone_user }}"
     password: "{{ placement_keystone_password }}"
     role: "admin"
+
+####################
+# TLS
+####################
+placement_enable_tls_backend: "{{ kolla_enable_tls_backend }}"

ansible/roles/placement/tasks/config.yml

@@ -33,7 +33,7 @@
 
 - include_tasks: copy-certs.yml
   when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or placement_enable_tls_backend | bool
 
 - name: Copying over config.json files for services
   become: true

ansible/roles/placement/templates/placement-api-wsgi.conf.j2

@@ -5,7 +5,13 @@
     {% set python_path = '/var/lib/kolla/venv/lib/python' + distro_python_version + '/site-packages' %}
 {% endif %}
 {% set wsgi_directory = '/usr/bin' if placement_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
-
+{% if placement_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos']  %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_api_listen_port }}
 
 ServerSignature Off
@@ -33,4 +39,9 @@ LogLevel info
             Require all granted
         </Files>
     </Directory>
+{% if placement_enable_tls_backend | bool %}
+    SSLEngine on
+    SSLCertificateFile /etc/placement/certs/placement-cert.pem
+    SSLCertificateKeyFile /etc/placement/certs/placement-key.pem
+{% endif %}
 </VirtualHost>

ansible/roles/placement/templates/placement-api.json.j2

@@ -26,7 +26,19 @@
             "dest": "/etc/placement/migrate-db.rc",
             "owner": "placement",
             "perm": "0600"
-        }
+        }{% if placement_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/placement-cert.pem",
+            "dest": "/etc/placement/certs/placement-cert.pem",
+            "owner": "placement",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/placement-key.pem",
+            "dest": "/etc/placement/certs/placement-key.pem",
+            "owner": "placement",
+            "perm": "0600"
+        }{% endif %}
     ],
     "permissions": [
         {

releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml

@@ -2,7 +2,7 @@
 features:
   - |
     Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone, Glance, Heat, and Cinder services. When used in
+    to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
-    conjunction with enabling TLS for service API endpoints, network
+    When used in conjunction with enabling TLS for service API endpoints,
-    communcation will be encrypted end to end, from client through HAProxy to
+    network communcation will be encrypted end to end, from client through
-    the backend service.
+    HAProxy to the backend service.